60 Power Network Security 

NIAN LIU 


With the application of open and standardized technologies, 
cyber security has become an important issue for the opera- 
tion of power system. In these new technologies, IEC 61850 
series standards, based on open communication protocols, 
are introduced as the fundamentals for control, monitoring, 
and automation. In this article, to present applicability of the 
IEC 61850, three typical application fields including substa- 
tion automation system, wind power plants, and distributed 
energy resources (DER) are selected and described in detail. 
Furthermore, the features of cyber security issues including 
threats, requirements, attacks, and categories, are analyzed. 

Three practical cyber security solutions for the power 
industry are introduced, that is, (1) the IEC 62351 series that 
has been developed for IEC 61850 and other communica- 
tion protocols used in power industry based on transmission 
control protocol/Internet protocol (TCP/IP) are the recom- 
mended technology standard of information security for 
power system control operations, (2) security mechanism for 
web services-based monitoring and control of wind power 
plants, and (3) an access control approach for intelligent elec- 
tronic devices (IEDs) in substation automation system (SAS). 


BACKGROUND 

Automation, control, and monitoring systems are used in 
application domains of power industry like generation, 
transmission, and distribution. Depending on the type and 
purpose of the automation system, its components are dis- 
tributed on local and wide-area scales. The communication 
links and facilities are important elements of such automa- 
tion, control, and monitoring systems. In the past, automation 
systems were not linked to each other and were not connected 
to public networks such as the Internet. Today, the market 
puts pressure on electric power utilities (EPUs) to make fast 
and cost-effective decisions. Also, the development of Smart 
Grid needs more and more information exchange between 
EPUs and customers. For these purposes, accurate and up-to- 
date information about the power plants, substations, and the 
process status have to be available not only on the plant floor 
or substation computers, but also at the management level in 
the EPUs, commercial partners, as well as some customers. 
This results in increasing interconnection between different 
automation systems as well as between automation and office 


systems. Initially, such interconnections were based on spe- 
cialized, proprietary communication mechanisms and proto- 
cols. Today, open and standardized Ethernet technologies as 
well as protocols for Internet are increasingly used for that 
purpose. 

In the terminology of information system security, a risk 
exists if there is vulnerability and threat. Vulnerability is the 
opportunity to cause damage. Vulnerability of an informa- 
tion system may be caused by a logical design flaw (e.g., a 
badly designed protocol), an implementation flaw (e.g., a buf- 
fer overflow), or a fundamental weakness (e.g., passwords 
and cryptographic keys that can be guessed). A threat arises 
from an attacker trying to find and exploit the vulnerability 
in order to inflict damage. Damage may also be caused by 
an incidental, inadvertent exploitation of vulnerability. The 
communication systems of control, monitoring, and automa- 
tion today are to a large extent based on commercial operat- 
ing systems, protocol implementations, and communication 
applications which are known to have vulnerabilities. By 
connecting to the Internet or other public networks, these 
vulnerabilities are exposed to potential attackers. Attackers 
need expertise and motivation. With open Internet technolo- 
gies, the expertise is easily available. Motivations for attack- 
ing communication systems of power industry may be for 
political or economical reasons. In summary, large and inter- 
connected networks of control, monitoring, and automation 
systems are vulnerable to electronics attacks, and the threats 
exist. Therefore, security has become an important issue. 

For the cyber security issues of power industry, this arti- 
cle represents the status of communication networks and sys- 
tems, the features of cyber security issues, and offers some 
practical solutions. 


COMMUNICATION NETWORKS AND SYSTEMS 

To facilitate the communications of control, monitor- 
ing, and automation of power industry, the International 
Electrotechnical Commission (IEC) has published series 
standards, including IEC 61850, IEC 61400-25, etc. In basic 
terms, the “communications” can be separated into four parts: 

1. Information modeling (the types of data to be 
exchanged — nouns) 


880 


© 2012 by Bela Liptak 



60 Power Network Security 881 


2. Information exchange modeling (the read, write, or 
other actions to take on the data — verbs) 

3. Communication protocols (mapping the noun and 
verb models to actual bits and bytes) 

4. Telecommunication media (fiber optics, radio systems, 
wireless systems, and other physical equipment) 

The IEC 61850 standards are originally published for SASs. 
The architecture of the standards include information model, 
information exchange model, and mapping to communica- 
tion protocols. Until recently, the standards published or 
planned to be published based on the architecture of IEC 
61850 are gradually extended to many other fields of power 
control systems, including wind power plants, hydroelectric 
power plants, distributed energy resources, communica- 
tion between substations, distribution automation, advanced 
metering infrastructure, and so on. 

The interrelationship between IEC TC 57 model- 
ing standards is illustrated in Figure 60.1. This illustration 
shows horizontally the three components to an information 
exchange model for retrieving data from the field, namely, 
the communication protocol profiles, the service models, 
and the information models. Vertically, different information 
models are shown: 

1. Substation automation (IEC 61850-7-4) 

2. Monitoring and control of wind power plants (IEC 
61400-25) 

3. Large hydro plants (IEC 61850-7-410) 

4. DER (IEC 61850-7-420) 

5. Distribution automation (under development) 

6. Advanced metering infrastructure (as pertinent to util- 
ity operations) (pending) 

To introduce the communications of control, monitoring, and 
automation of power industry, three typical application fields 
including SAS, wind power plants, and DER are selected to 
describe in detail. 


IEC 61850 models 


IEC 61850 
Object models 

(IEC 61850-7-3, 7-4, 7-410, 7-420) 


IEC 61580 
Service models 

(IEC 61850-7-2 ACSI and GOOSE) 


IEC 61850 

profiles and mapping 
(IEC 61850-8 & 9, web services, OPC/UA) 


Application domains 

► 



Field devices 


FIG. 60.1 

IEC TC 57 modeling standards and application domains. 


SAS 

The functions of a SAS refer to tasks, which have to be per- 
formed in the substation. These are functions to control, 
monitor, and protect the equipment of the substation and its 
feeders. In addition, there exist functions, which are needed 
to maintain the SAS, that is, for system configuration, com- 
munication management, or software management. 

The functions of a SAS may be logically allocated on 
three different levels; (process, bay/unit, or station). These are 

1. Process level devices are typically remote process 
interfaces such as input/outputs (I/Os), intelligent sen- 
sors, and actuators connected by an appropriate pro- 
cess bus. 

2. Bay level devices consist of control, protection, or 
monitoring units per bay. 

3. Station level devices consist of the station computer 
with a database, the operator’s workplace, interfaces 
for remote communication, etc. 

Modeling Approach 

Legacy protocols have typically defined how bytes are trans- 
mitted on the wire. However, they do not specify how data 
should be organized in devices in terms of the application. 
This approach requires power system engineers to manually 
configure objects and map them to power system variables 
and low-level register numbers, index numbers, I/O mod- 
ules, etc. IEC 61850 is unique. In addition to the specifica- 
tion of the protocol elements (how bytes are transmitted on 
the wire), IEC 61850 provides a comprehensive model for 
how power system devices should organize data in a manner 
that is consistent across all types and brands of devices. This 
eliminates much of the tedious nonpower system configura- 
tion effort because the devices can configure themselves. For 
instance, if you put a CT/VT input into an IEC 61850 relay, 
the relay can detect this module and automatically assign it 
to a measurement unit without user interaction. Some devices 
use an SCL file to configure the objects and the engineer 
need only import the SCL file into the device to configure it. 
Then, the IEC 61850 client application can extract the object 
definitions from the device over the network. The result is a 
very large savings in the cost and effort to configure an IEC 
61850 device. 

In IEC 61850, the device model of SAS begins with a 
physical device. A physical device is the device that connects 
to the network. The physical device is typically defined by its 
network address. Within each physical device, there may be 
one or more logical devices. The IEC 61850 logical device 
model allows a single physical device to act as a proxy or 
gateway for multiple devices thus providing a standard repre- 
sentation of a data concentrator. Each logical device contains 
one or more logical nodes. A logical node (see Table 60.1) is 
a named grouping of data and associated services that is logi- 
cally related to some power system function. 


© 2012 by Bela Liptak 


882 


Process Control and Automation Applications 


TABLE 60.1 

Anatomy of Circuit Breaker Logical Node in IEC 61850-7-4 

XCBR Class 

Attribute 

Attribute Name Type Explanation T M/0 

LNName Shall be inherited from logical-node 

class (see IEC 61850-7-2) 


Data 

Common Logical Node Information 


Loc 

SPS 

LN shall inherit all mandatory data 
from common logical node class 
Local operation (local means without 

M 

M 

EE health 

INS 

substation automation communication, 
hardwired direct control) 

External equipment health 

O 

EE name 

DPL 

External equipment name plate 

O 

OpCnt 

INS 

Operation counter 

M 

Controls 

Pos 

DPC 

Switch position 

M 

BlkOpn 

SPC 

Block opening 

M 

BlkCls 

SPC 

Block closing 

M 

ChaMotEna 

SPC 

Charger motor enable 

O 

Metered Values 

SumSwARs 

BCR 

Sum of switched amperes, resetable 

O 

Status Information 

CBOpCap 

INS 

Circuit breaker operating capability 

M 

POWCap 

INS 

Point on wave switching capability 

O 

MaxOpCap 

INS 

Circuit breaker operating capability 

O 

Data name 

CDC 

when fully charged 
Description 

Mandatory/ 


optional 


Each logical node contains one or more elements of 
data. Each element of data has a unique name. These data 
names are determined by the standard and are functionally 
related to the power system purpose. For instance, a circuit 
breaker is modeled as an XCBR logical node. It contains a 
variety of data, including Loc for determining if operation 
is remote or local, OpCnt for an operations count, Pos for 
the position, BlkOpn block breaker open commands, BlkCls 
block breaker close commands, and CBOpCap for the circuit 
breaker operating capability. 

Each element of data within the logical node conforms 
to the specification of a common data class (CDC) per IEC 
61850-7-3. Each CDC describes the type and structure of the 
data within the logical node. For instance, there are CDCs 
for status information, measured information, controllable 
status information, controllable analogue set point informa- 
tion, status settings, and analogue settings. Each CDC has a 
defined name and a set of CDC attributes each with a defined 
name, defined type, and specific purpose. Each individual 
attribute of a CDC belongs to a set of functional constraints 
(FC) that groups the attributes into categories. For instance. 


in the single point status (SPS) CDC described in Table 60.2, 
there are FC for status (ST) attributes, substituted value (SV) 
attributes, description (DC) attributes, and extended defini- 
tion (EX) attributes. In this example, the ST attributes of the 
SPS class consists of a status value (stVal), a quality flag (q), 
and a time stamp (t). 

The IEC 61850 model of a device is a virtualized model 
that begins with an abstract view of the device and its objects 
and is defined in IEC 61850 Part 7. Then, this abstract model 
is mapped to a specific protocol stack in section IEC 61850- 
8-1 based on manufacturing message specification (MMS) 
(ISO9506), TCP/IP, and Ethernet. In the process of mapping 
the IEC61850 objects to MMS, IEC 61850-8-1 specifies a 
method of transforming the model information into a named 
MMS variable object that results in a unique and unambigu- 
ous reference for each element of data in the model. Let us 
assume, that there is a logical device named “Relay 1” con- 
sisting of a single circuit breaker logical node XCBR 1 for 
which you want to determine if the breaker is in the remote or 
local mode of operation. To determine this, one would read 
the object shown in Figure 60.2. 


© 2012 by Bela Liptak 


60 Power Network Security 883 


TABLE 60.2 

Anatomy ofSPS CDC in IEC 61850-7-3 

SPS Class 

Value/Value 

Attribute Name Attribute Type FC TrgOp Range M/O/C 

Data name Inherited from data class (see IEC 61850-7-2) 


Data Attribute 

Status 


stVal 

BOOLEAN 

ST 

dchg 

TRUE 

M 





FALSE 


q 

Quality 

ST 

qchg 


M 

t 

Time stamp 

ST 



M 

Substitution 






subEna 

BOOLEAN 

SV 



PICS_SUBST 

subVal 

BOOLEAN 

SV 

TRUEI 


PICS_SUBST 




FALSE 



subQ 

Quality 

SV 



PICS_SUBST 

subID 

VISIBLE STRING64 

SV 



PICS_SUBST 

Configuration, Description, and Extension 





d 

VISIBLE STRING255 

DC 

Text 


O 

dU 

UNICODE STRING255 

DC 



O 

cdcNs 

VISIBLE STRING255 

EX 



AC_DLNDA_M 

cdcName 

VISIBLE STRING255 

EX 



AC_DLNDA_M 

dataNs 

VISIBLE STRING255 

EX 



AC_DLN_M 


Relay 1 / XCBR 1 $ ST $ LOC $ stVal 



Anatomy of an IEC 61850-8-1 object name. 

Mapping to Communication Profile 

The abstract data and object models of IEC 61850 define a 
standardized method of describing power system devices 
that enables all lEDs to present data using identical struc- 
tures that are directly related to their power system function. 
The abstract communication service interface (ACSI) mod- 
els of IEC 61850 define a set of services and the responses to 
those services that enable all IEDs to behave in an identical 
manner from the network behaviors perspective. While the 
abstract model is critical to achieving this level of interoper- 
ability, these models need to be operated over a real set of 
protocols that are practical to implement and that can oper- 
ate within the computing environments commonly found in 
the power industry. IEC 61850-8-1 maps the abstract objects 
and services to the MMS protocols of ISO 9506. Why was 


a protocol originally designed for manufacturing used? 
Because MMS is the only public (ISO standard) protocol 
that has a proven implementation track record that can eas- 
ily support the complex naming and service models of IEC 
61850. While IEC 61850 can theoretically be mapped to any 
protocol, this mapping can get very complex and cumber- 
some when trying to map IEC 61850 objects and services 
to a protocol that only provides read/write/report services 
for simple variables that are accessed by register numbers 
or index numbers. In such cases, MMS is a very good choice 
because it supports complex named objects and a rich set of 
flexible services that support the mapping to IEC 61850 in a 
straightforward manner. 

The mapping of IEC 61850 object and service models to 
MMS is based on a service mapping where specific MMS 
service/services are chosen as the means to implement the 
various services of ACSI. For instance, the control model of 
ACSI is mapped to MMS read and write services. Then the 
various object models of IEC 61850 are mapped to specific 
MMS objects. For instance, the IEC 61850 logical device 
object is mapped to an MMS domain. The mapping details 
are represented in IEC 61850-8-1. 

In addition to the mapping to the application layer, 
Part 8-1 defines profiles of “other” layers of the commu- 
nication stack that are dependent on the service provided 
(Figure 60.3). Of note on the various profiles: the Sampled 
Values and GOOSE applications map directly into the 
Ethernet data frame thereby eliminating processing of 


© 2012 by Bela Liptak 


884 


Process Control and Automation Applications 


Sampled 

values 

(multicast) 


Generic 

object- 

oriented 

substation 

event 


Time 

sync 


Core 

ACSI 

services 


Generic 

substation 

status 

event 



FIG. G0.3 

Overview of 1EC61850 functionality and associated communication profiles. 


any middle layers; the MMS connection oriented layer can 
operate over TCP/IP or ISO; the generic substation status 
event (GSSE) is an identical implementation as GOOSE 
and operates over connectionless ISO services; all data 
maps onto an Ethernet data frame using either the data 
type “Ethertype” in the case of Sampled Values, GOOSE, 
TimeSync, and TCP/IP or “802.3” data type for the ISO 
and GSSE messages. 

WIND POWER PLANTS 

The communications between wind power plant components 
such as wind turbines and actors such as Supervisory Control 
and Data Acquisition (SCADA) systems are represented in 
the IEC 61400-25 series standard, which is designed for a 
communication environment supported by a client/server 
model. Three areas are defined consistent with IEC 61850, 
that are modeled separately to ensure the scalability of 
implementations: 

• Wind power plant information model 

• Information exchange model 

• Mapping of these two models to a standard commu- 
nication profile 

The wind power plant information model and the informa- 
tion exchange model, viewed together, constitute an inter- 
face between client and server. In this case, the wind power 
plant information model serves as an interpretation frame 
for accessible plant data. The wind power plant informa- 
tion model is used by the server to offer the client a uniform, 


component-oriented view of the plant data. The informa- 
tion exchange model reflects the whole active functionality 
of the server. The IEC 61400-25 series enables connectivity 
between a heterogeneous combination of client and server 
from different manufacturers and suppliers. 

As depicted in Figure 60.4, the IEC 61400-25 series 
defines a server with the following aspect: Information pro- 
vided by a wind power plant component, for example, “wind 
turbine rotor speed” or “total power production of a certain 
time interval” is modeled and made available for access. The 
information modeled in the IEC 61400-25 series is defined 
in IEC 61400-25-2; services to exchange values of the mod- 
eled information are defined in IEC 61400-25-3; mapping to 
a communication profile, providing a protocol stack to carry 
the exchanged values from this information are defined in 
IEC 61400-25-4. 

Information Model 

The wind power plant information model, in Figure 60.4, 
provides the contents required for the information exchange 
that takes place within the framework of the monitoring and 
control between the client and the server. 

The model is deemed to be a standard frame of inter- 
pretation via which the server may process all data, which 
is provided by wind power plants for the external monitor- 
ing and control, into relevant and semantically standardized 
information, and may grant the client access to these data in 
a component-oriented view. 

When developing the wind power plant information 
model, the paradigm of object orientation has been taken 
into account. This approach allows wind power plants to be 


© 2012 by Bela Liptak 


60 Power Network Security 885 



FIG. 60.4 

Communication model oflEC 61400-25 series. 

viewed as information objects and modeling of appropriate 
information architecture. 

The IEC 61400-25 series utilizes the concept of object 
modeling to represent the systems and components of a wind 
power plants to communicate with. This means that all of the 
components in the real world are identified as objects that 
have data such as analogue values, binary status, commands, 
and set points and these objects and data are mapped into 
generic, logical representations of the real world components 
as a wind power plant information model. 

Breaking a real world component down into objects to 
produce a model of that object involves identifying all of the 
data and functionality of each component object. Each data 
has a name and a simple or complex type (a class) and repre- 
sents data in the device to be read or updated. 

Instead of dealing with lists of numbered quantities, an 
object-modeling approach lets us organize and define stan- 
dard names, independent of the manufacturer of the equip- 
ment. For instance, if the equipment has a shaft for which 
the rotational speed is available for reading, then it has the 
same name regardless of the vendor of that equipment and 
can be read by any client program that knows the informa- 
tion model. 

In addition to reading and updating process information, 
other functionalities of the device may include things such as 
historical logs of information, report by exception capabili- 
ties, and actions within the device that are initiated by inter- 
nal or external command and control inputs. 

All of these items imply some type of information 
exchange between the outside world and the real world device 
represented by the wind power plant information model. 

Information Exchange Model 

The information exchange mechanisms rely on standard- 
ized wind power plant information models. These informa- 
tion models and the modeling methods are the core of the 
IEC 61400-25 series. The IEC 61400-25 series uses the 


approach to model the information found in real components 
as depicted in the conceptual overview in Figure 60.5. All 
information made available to be exchanged with other com- 
ponents is defined in the IEC 61400-25 series. The model 
provides for the wind power plant system an image of the real 
world (power system process, generator, etc.). 

The IEC 61400-25 series defines the information and 
information exchange in a way that is independent of a con- 
crete implementation (i.e., it uses abstract models). The IEC 
61400-25 series also uses the concept of virtualization, which 
provides a view of those aspects of a real device that are of 
interest for information exchange with other devices. Only 
those details that are required to provide interoperability of 
devices is defined in the IEC 61400-25 series. 

The approach of the IEC 61400-25 series is to decom- 
pose the functions into the smallest entities, which are used 
to exchange information. The granularity is given by a rea- 
sonable distributed allocation of these entities to intelligent 
dedicated devices (IDDs). These entities are called logical 
nodes (e.g., a virtual representation of a rotor class, with the 
standardized class name, WROT). The logical nodes are 
modeled and defined from the conceptual application point 
of view. Logical nodes are collected in a logical device repre- 
senting, e.g., a complete wind turbine. 

Real components on the right hand side of Figure 60.5 
are modeled into a virtual model in the middle of the figure. 
The logical nodes correspond to functions in the real physi- 
cal devices. In this example, the logical node, WROT, rep- 
resents a specific rotor of the turbine to the right. Based on 
its functionality, a logical node contains a list of data (e.g., 
rotor speed) with dedicated information. The data have a 
structure and a well-defined semantic (meaning in the con- 
text of wind power plant systems). The information repre- 
sented by the data is exchanged by the services according 
to the information exchange services defined. The logical 
nodes and the data contained are crucial for the informa- 
tion model and the information exchange services for wind 
turbines to reach interoperability. The logical nodes and the 


© 2012 by Bela Liptak 


886 


Process Control and Automation Applications 



FIG. 60.5 

Modeling concept of the IEC 61400-25 series. 


data contained are configured by the control information, 
for example, parameters, commands to be accepted, and the 
set point ranges. 

Mapping to Communication Profile 

The information exchange between server and client requires 
a uniform communication protocol on both sides. A specific 
mapping to a communication profile defines how the objects 
in the wind power plant information model and the functions 
and services defined in the information exchange model are 
implemented using a specific protocol stack, that is, a com- 
plete communication protocol. IEC 61400-25-4 specifies in 
detail the communication protocols applied in the IEC 61400- 
25 series. 


The mapping to protocol stacks specified in IEC 61400- 
25-4 is oriented in its structure toward the OSI reference 
model (ISO 7498-1:1994) (Figure 60.6). According to the OSI 
reference model, the communication realized between client 
and server is divided into seven layers. Whereas layer 7, 6, 
and 5 are concerned with application issues (often named as 
the A-Profile), the lower four layers are concerned with data 
transport issues (often named as the T-Profile). 

The mapping of the information model and information 
exchange model are specified in IEC 61400-25-4 with spe- 
cific mappings to five different communication protocols: 

1. Mapping to a set of web services 

2. Mapping to an OPC XML-DA protocol stack 

3. Mapping to an IEC 61850-8-1 MMS protocol stack 


Information model 
IEC 61400-25-2 


Information exchange model 
IEC 61400-25-3 


Mapping 1 Mapping 2 Mapping 3 ... Mapping N 


Application 


Presentation 


Session 


Transport 


Network 


Data link 


Physical 



JL 


— 


JL JJ JL 


Mapping to protocol 
stacks 






c° 4 


•/ 

|c/ sr 


TCP 


IP 


Ethernet,... 


y r 


Other 


Physical 


Out of scope 
Out of scope 


FIG. 60.6 

Mapping to protocol stacks specified in IEC 61400-25-4. 


© 2012 by Bela Liptak 










60 Power Network Security 887 


4. Mapping to an IEC 60870-5-104 protocol stack 

5. Mapping to a DNP3 protocol stack 

DISTRIBUTED ENERGY RESOURCES 

Increasing numbers of DER systems are being intercon- 
nected to electric power systems throughout the world. As 
DER technology evolves and as the impact of dispersed 
generation on distribution power systems becomes a grow- 
ing challenge and opportunity, nations worldwide are rec- 
ognizing the economic, social, and environmental benefits 
of integrating DER technology within their electric power 
infrastructure. 

The manufacturers of DER devices are facing the age- 
old issues of what communication standards and protocols 
to provide to their customers for monitoring and controlling 
DER devices, particularly when they are interconnected with 
the electric utility system. In the past, DER manufacturers 
developed their own proprietary communication technology. 
However, as utilities, aggregators, and other energy service 
providers start managing DER devices which are intercon- 
nected with the electric utility system, they are Ending that 
coping with these different communication technologies 
present major technical difficulties, implementation costs, 
and maintenance costs. Therefore, utilities and DER manu- 
facturers recognize the growing need to have one interna- 
tional standard that defines the communication and control 
interfaces for all DER devices. Such standards, along with 
associated guidelines and uniform procedures, would sim- 
plify implementation, reduce installation and maintenance 
costs, and improve reliability of power system operations. 


Communications for DER plants involve not only local 
communications between DER units and the plant manage- 
ment system, but also between the DER plant and the opera- 
tors or aggregators who manage the DER plant as a virtual 
source of energy and/or ancillary services. This is illustrated 
in Figure 60.7. 

Information model : Part 7-420 of the IEC 61850 defines logi- 
cal nodes that are intended for use with DER. Other objects 
of the information model are identical with SAS (IEC 61850- 
7-3, IEC 61850-7-4). 

Information exchange model : The information exchange 
model is identical with the services modeling for SAS (IEC 
61850-7-2). 

Mapping to communication profile : Mapping to communi- 
cation profile is mapping the information model and infor- 
mation exchange model to MMS, the same as SAS (IEC 
61850-8-1). 


FEATURES OF CYBER SECURITY 
ISSUES IN POWER INDUSTRY 

Cyber Security Threats 

Security threats are generally viewed as the potential for 
attacks against assets. These assets can be physical equip- 
ment, computer hardware, buildings, and even people. 
However, in the cyber world, assets also include information, 
databases, and software applications. 



DER devices 


FIG. 60.7 

Example of a communications configuration for a DER plant. CHP, combined heat and power ; DER, distributed energy resources; LAN, 
local area network; WAN, wide area network; PV, photovoltaics; X=ECPs usually with switches, circuit breakers, and protection. 


© 2012 by Bela Liptak 











888 Process Control and Automation Applications 


Security threats to assets can result from inadvertent 
events as well as deliberate attacks. In fact, often more actual 
damage can result from safety breakdowns, equipment fail- 
ures, and carelessness than from deliberate attacks. However, 
the reactions to successful deliberate attacks can have tre- 
mendous legal, social, and financial consequences that could 
far exceed the physical damage. 

Deliberate threats can cause more focused damage to 
facilities and equipment in substations than the inadver- 
tent threats. The incentives for these deliberate threats are 
increasing as the results from successful attacks can have 
increasingly economic and/or “socio/political” benefits to the 
attackers. Sophisticated monitoring of facilities and equip- 
ment can help prevent some of these threats, while amelio- 
rating the impact of successful attacks through real-time 
notifications and forensic trails. 

The following subclauses discuss some sources of the 
most important threats of power industry to understand and 
to protect against. 

Inadvertent Threats — Safety Failures 

Safety has always been a primary concern for EPUs, par- 
ticularly for those field crews working in the high voltage 
environments of substations. Meticulous procedures have 
been developed and refined over and over again to improve 
safety. Although these procedures are the most important 
component of a safety program, monitoring of the status of 
key equipment and the logging/alarming of compliance to 
the safety procedures through electronic means can enhance 
safety to a significant degree and can benefit other purposes 
as well. 

In particular, although access measures which permit 
only authorized personnel into substations have been imple- 
mented primarily for safety reasons, electronic monitoring of 
these safety measures can also help to prevent some deliber- 
ate attacks, such as vandalism and theft. 

Inadvertent Threats — Equipment Failures 

Equipment failures are the most common and expected 
threats to the reliable operation of the power system. 
Significant work has been undertaken over the years to moni- 
tor the status of substation equipment, such as oil tempera- 
ture, cooling systems, frequency deviations, voltage levels, 
and current overloads. The IEC 62351 does not focus on 
these types of monitoring except where additional informa- 
tion can provide additional physical security. However, often 
the monitoring of the physical status of equipment can also 
benefit maintenance efficiency, possible prevention of certain 
types of equipment failures, real-time detection of failures 
not previously monitored, and forensic analysis of equipment 
failure processes and impacts. Therefore, the total cost-ben- 
efit of some monitoring of physical security can be improved 
by taking these additional consequences into account. 


Inadvertent Threats — Carelessness 

Carelessness is one of the “threats” to protecting assets in 
substations, whether it is permitting tailgating into a substa- 
tion or not locking doors or inadvertently allowing unauthor- 
ized personnel to access passwords, keys, and other security 
safeguards. Often, this carelessness is due to complacency or 
negligence or irritation. 

Deliberate Threats — Disgruntled Employee 

Disgruntled employees are one of the primary threats for 
attacks on power system assets. Unhappy employees who 
have the knowledge to do harm can cause significantly more 
damage than a nonemployee, particularly in the power sys- 
tem industry where many of the systems and equipment are 
very unique to the industry. 

Deliberate Threats — Industrial Espionage 

Industrial espionage in the power system industry is becom- 
ing more of a threat as deregulation and competition involv- 
ing millions of dollars provide growing incentives for 
unauthorized access to information — and for the possible 
damaging of equipment for nefarious purposes. In addition 
to financial gains, some attackers could gain “socio/political” 
benefits through “exposing” the incompetence or unreliabil- 
ity of competitors. 

Deliberate Threats — Vandalism 

Vandalism can damage facilities and equipment with no 
specific gain to the attackers other than the act of doing 
it, and the proof to themselves and others that they can do 
it. Often, the vandals are unaware of or do not care about 
the possible consequences of their actions. Monitoring 
the access to locked facilities and alarming any access 
anomalies in real-time can help prevent most vandalism. 
However, some vandalism, such as shooting equipment in 
the yard from outside the substation, or turning off equip- 
ment and software applications, would require additional 
monitoring. 

Deliberate Threats — Cyber Hackers 

Hackers are people who seek to breach cyber security for 
gain. This gain may be directly monetary, industrial knowl- 
edge, political, social, or just an individual challenge to see 
if the hacker can gain access. Most hackers use the Internet 
as their primary gateway to entry, and therefore most utili- 
ties use a variety of firewalls, isolation techniques, and other 
countermeasures to separate power system operation systems 
from the Internet. 


© 2012 by Bela Liptak 



60 Power Network Security 889 


In the public’s eye, cyber security is often seen only as 
protection against hackers and their associated problems, 
computer viruses, and worms. With the computer systems for 
power operations presumably kept isolated from the Internet, 
many utility personnel do not see any reason for adding 
security measures to these systems. However, as clearly seen 
from these subclauses, this may not be true anymore as net- 
working becomes more prevalent and additional information 
access requirements grow (e.g., vendor remote access, main- 
tenance laptop access, and protective relay engineer access 
for retrieving special data). 

Deliberate Threats — Viruses and Worms 

Like hackers, viruses and worms typically attack via the 
Internet. However, some viruses and worms can be embedded 
in software that is loaded into systems that have been isolated 
from the Internet or could possibly be transmitted over secure 
communications from some unsecure laptop or other system. 
They could include man-in-the-middle viruses, spyware for 
capturing power system data, and other Trojan horses. 

Deliberate Threats — Theft 

Theft has a straightforward purpose — the attackers take 
something (equipment, data, or knowledge) that they are not 
authorized to take. Generally, the purpose has financial gain 
as the motive, although other motives are possible as well. 

Again, monitoring access to locked facilities and alarm- 
ing anomalies in the physical status and health of equip- 
ment (e.g., not responding or disconnected) are the primary 
methods for alerting personnel that theft is possibly being 
committed. 

Deliberate Threats — Terrorism 

Terrorism is the least likely threat but the one with possibly 
the largest consequences since the primary purpose of terror- 
ism is to inflict the greatest degree of physical, financial, and 
socio/political damage. 

Monitoring and alarming for the anomalies access to 
substation facilities may be the most effective means to put 
warning of potential terrorist acts on the operating personnel. 
These acts can lead to collapse of substation or other facili- 
ties. However, terrorists could become more sophisticated in 
their actions, and seek to damage specific equipment or render 
critical equipment inoperative in ways that could potentially 
do more harm to the power system at large than just blowing 
up one substation. Therefore, additional types of monitoring 
are critical, including the status and health of equipment. 

REQUIREMENTS OF CYBER SECURITY 

From the inadvertent and deliberate scenarios, it is clear that 
the sources of cyber security threats are complicated. But 


according to the final actions, there are four types of cyber 
security threats: 

1. Unauthorized access to information 

2. Unauthorized modification or theft of information 

3. Denial of service 

4. Repudiation/unaccountability 

There are, however, many different types of vulnerabilities 
and methods of attacks against these vulnerabilities by which 
these threats might be successful. Security countermeasures 
shall take into account these different types of vulnerabilities 
and attack methods. 

Cyber security vulnerabilities refer to weaknesses 
or other openings in a system that could permit deliber- 
ate or inadvertent unauthorized actions to realize a threat. 
Vulnerabilities may result from bugs or design flaws in the 
system, but can also result from equipment failures and phys- 
ical actions. Vulnerability can exist either in theory or could 
have a known exploit. 

Users, whether they are people or software applications, 
have zero or more of four basic security requirements, which 
protect them from four basic threats (Figure 60.8). In each 
case, authorization requires authentication of the users as a 
basic premise: 

1. Confidentiality: Preventing the unauthorized access 
to information 

2. Integrity : Preventing the unauthorized modification or 
theft of information 

3. Availability: Preventing the denial of service and 
ensuring authorized access to information 

4. Nonrepudiation or accountability: Preventing the 
denial of an action that took place or the claim of an 
action that did not take place 

Cyber Security Attacks and Categories 

Threats can be realized by many different types of attacks, 
some of which are illustrated in Figure 60.8. As can be seen, 
the same type of attack can often be involved in different 
security threats. This web of potential attacks means that 
there is not just one method of meeting a particular security 
requirement: each of the types of attacks that present a spe- 
cific threat needs to be countered. 

In addition, a “chain of attacks” in which a sequence of 
attacks, possibly involving different assets and possibly tak- 
ing place over time, can also realize a given threat. From one 
perspective on security, cyber security can be categorized 
into four areas as illustrated in Figure 60.9. 

Usually all four of these categories need to have secu- 
rity measures applied in order to achieve end-to-end security. 
Just securing one category will typically not be adequate. For 
instance, implementing a virtual private network (VPN) only 
handles threats to the communications transport protocols 


© 2012 by Bela Liptak 


890 


Process Control and Automation Applications 




Requirements 


Confidentiality 

Integrity 

Availability 

Non-repudiation 



FIG. 60.8 

Relations between security requirements and attacks. 


Cyber security categories Typical security attacks Countermeasures 


Human- machine 
interface 


Masquerade, bypass control, 
theft, carelessness, repudiation, 
physical intrusion 


Human role-based and 
individual authentication and 
authorization 


Software applications A 
in computer systems V 


Masquerade, bypass control, 
trojan horse, viruses, 
malfunctions, bugs 


Software authentication, 
authorization, testing, patch 
management 




Communications A 
transport protocols V 


Eavesdropping, masquerade, 
man-in-the-middle, replay, 
resource exhaustion 


Encryption, transmission 
y authentication, access control, 
digital signatures 


ik 

Communications 

media 


Resource exhaustion, path 
failure, traffic analysis, EM/RF 
interception, EM/RF interference 


Restricted access, coding 
encryption, redundant messages, 
redundant paths 


FIG. 60.9 

Cyber security categories. 


and does not prevent one person masquerading as another 
person, nor does it prevent a malicious software application 
in the host computer from communicating over the VPN to 
the device in the field. Thus, these security measures should 
be carefully integrated with each other so that inadvertent 
problems do not occur. 


CYBER SECURITY SOLUTIONS FOR POWER INDUSTRY 

Security Mechanisms Proposed in IEC 62351 Series 

The scope of the IEC 62351 series is information security 
for power system control operations. Security standards have 


© 2012 by Bela Liptak 

























60 Power Network Security 891 


been developed for different profiles of the three communica- 
tion protocols: IEC 60870-5 and its derivatives, IEC 60870-6 
(TASE.2), and IEC 61850. In addition, security through net- 
work and system management has been addressed. These 
security standards should meet different security objectives 
for the different protocols, which vary depending upon how 
they are used. Some of the security standards can be used 
across a few of the protocols, while others are very specific 
to a particular profile. 

In each part of the IEC 62351 series, the security require- 
ments being addressed are stated (e.g., authentication, 
confidentiality). In addition, a proforma implementation con- 
formance statement (PICS), which identifies mandatory and 
optional conformance for different security levels, is included. 

This series is published by the IEC as IEC 62351, Parts 
1-7, as follows: 

• IEC 62351-1: Introduction and overview 

• IEC 62351-2: Glossary of terms 

• IEC 62351-3: Profiles including TCP/IP (this part cov- 
ers those profiles used by ICCP, IEC 60870-5-104, 
DNP 3.0 over TCP/IP, and IEC 61850 over TCP/IP) 

• IEC 62351-4: Profiles including MMS (this part cov- 
ers those profiles used by ICCP and IEC 61850) 

• IEC 62351-5: Security for IEC 60870-5 and deriva- 
tives (i.e., DNP 3.0) (this part covers both serial and 
networked profiles used by IEC 60870-5 and DNP) 

• IEC 62351-6: Security for IEC 61850 profiles (this part 
covers those profiles in IEC 61850 that are not based 
on TCP/IP— GOOSE, GSSE, and SMV) 

• IEC 62351-7: Management information base (MIB) 
requirements for end-to-end network management 


(this part involves the development of MIBs for the 
power system operational environment) 

The correlation between the IEC 62351 series and the IEC 
TC 57 standards is shown in Figure 60.10. 

IEC 62351-3: Profiles Including TCP/IP 

Threats and Types of Attacks Being Countered IEC 62351-3 
provides security for any profile that includes TCP/IP. Rather 
than re-inventing the wheel, it specifies the use of trans- 
port layer security (TLS) which is commonly used over the 
Internet for secure interactions, covering authentication, con- 
fidentiality, and integrity. IEC 62351-3 describes the manda- 
tory and optional parameters and settings for TLS that should 
be used for utility operations. 

The purpose of IEC 62351-3 is to provide end-to-end 
transport security for the communications between software 
applications. In determining the best approach to meet this 
purpose, both IPSec and TLS were analyzed. IPSec is typi- 
cally used to protect all traffic that is exchanged between 
two LAN segments, whereas TLS provides encryption 
and man-in-the middle protection on an end-to-end basis. 
Therefore, TLS was selected rather than IPSec to meet this 
purpose. It is understood and acceptable that IPSec may be 
used to protect other traffic or even be used in conjunction 
with TLS. 

IEC 62351-3 protects against: 

• Eavesdropping through TLS encryption 

• Man-in-the-middle security risk through message 
authentication 



FIG. 60.10 

Scope and outline of IEC 62351 series. 


© 2012 by Bela Liptak 










892 Process Control and Automation Applications 


• Spoofing through security certificates (node 
authentication) 

• Replay, again through TLS encryption 

However, TLS does not protect against denial of service. This 
type of security attack needs to be guarded against through 
implementation-specific measures. 

TLS for TCP/IP provides security for the transport lay- 
ers of the communication profiles. TLS does not provide 
application-layer security, so this should be provided by other 
security measures. 

Security Requirements and Measures To support different 
levels of security, IEC 62351-3 specifies that products claim- 
ing conformance shall support the following capabilities: 

• Interoperability with other devices that have not imple- 
mented either TLS or application authentication. This 
provides the necessary backward compatibility with 
existing implementations and for the gradual updating 
of systems toward using security. 

• Interoperability with other devices that have not 
implemented TLS but do support application authen- 
tication. This can be used for implementations over 
VPN connections to control centers. 

• Interoperability with other devices that have imple- 
mented TLS but not application authentication. This 
permits encryption and node-level authentication only. 

• Interoperability with other devices that have imple- 
mented both TLS and application authentication. This 
provides full security. 

Some of the key elements of the security measures for 
TCP/IP are as follows: 

• Depreciation of SSL 1.0 and 2.0 due to known security 
vulnerabilities. 

• Use TLS 1.0 or higher (which is equivalent to secure 
sockets layer [SSL] 3.1). 

• Deprecate cipher suites that do not provide encryption. 

• Transparent key re-negotiation based upon time and 
number of packets so that lightly loaded networks do 
not lose certification over long time periods, since 
most connections are long term. Both time and num- 
ber are configurable, but the recommended param- 
eters are time (10 min) and number of packets (5000). 

• The entity that was connected to is responsible for key 
negotiation. This avoids protocol deadlocking. 

• Standardization for support for at least one common 
cipher suite, AES. 

• Specification of TLS message authentication to avoid 
spoof and replay. 

• Can request small certificates to minimize the burden. 

Usage of VPN Tunnels and “Bump-in-the-Wire” 
Technology The use of VPN tunnels and/or bump-in-the- 
wire solutions is beyond the scope of the IEC 62351 standards. 


This does not exclude their use as part of an overall security 
solution, so long as it is recognized that they can protect only 
one of the security categories. For further information on 
VPN, please refer to Chapter 32. 

EC 62351-4: Security for Profiles That Include MMS 

Threats and Types of Attacks Being Countered IEC 62351-4 
provides security for profiles that include MMS, including 
TASE.2 (ICCP) and IEC 61850. Security for MMS (ISO 
9506) provides application layer security. It requires TLS to 
configure and makes use of TLS security measures, in par- 
ticular, authentication: The two entities interacting with each 
other are who they say they are. 

If encryption is not employed, then the specific threats 
countered in IEC 62351-4 include unauthorized access 
to information and if IEC 62351-3 is employed, then the 
specific threats countered in IEC 62351-4 include the 
following: 

• Unauthorized access to information through message- 
level authentication and encryption of the messages 

• Unauthorized modification (tampering) or theft of 
information through message-level authentication and 
encryption of the messages 

The following security attack methods are intended to be 
countered by IEC 62351-4. The list is exclusive of the attack 
methods countered through IEC 62351-3. In the case that IEC 
62351-3 is not employed, the threats countered are restricted 
to protection during association establishment: 

• Man-in-the-middle: This threat will be countered 
through the use of a message authentication code 
mechanism specified within this document. 

• Tamper detection/message integrity: These threats 
will be countered through the algorithm used to create 
the authentication mechanism as specified within this 
document. 

• Replay: This threat will be countered through the use 
of specialized processing state machines specified 
within IEC 62351-3 and IEC 62351-4. 

Security Requirements and Measures The combination of 
IEC 62351-3 and IEC 62351-4 provide end-to-end security up 
through the communications application layer, including the 
following types of security: 

• Authentication 

• Confidentiality 

• Data integrity 

• Nonrepudiation 

IEC 62351-4 allows both secure and nonsecure profiles to 
be used simultaneously, so that not all systems need to be 
upgraded with the security measures at the same time. 


© 2012 by Bela Liptak 



60 Power Network Security 893 


EC 62351-5: Security for IEC 60870-5 and Derivatives 

Threats and Types of Attacks Being Countered IEC 62351-5 
provides different solutions for the serial version (primar- 
ily IEC 60870-5-101, as well as IEC 60870-5-102 and IEC 
60870-5-103) and for the networked versions (IEC 60870-5- 
104 and derivates such as DNP3 over TCP). 

Specifically, IEC 62351-5 provides application layer 
authentication which protects against spoofing, replay, 
modification, and some denial of service attacks. It does 
not include encryption, so it does not protect against eaves- 
dropping, traffic analysis, or repudiation. Application layer 
authentication is necessary because site-to-site security and, 
in some cases, TLS do not address the following: 

• Security within each local site 

• Security of serial protocols (such as IEC 60870-5) 
over unencrypted radios 

• Security of serial protocols that have been forwarded 
over IP networks through terminal servers 

• Protection from “rogue applications” or attacks from 
within hosts that may be infected by malware 

• Linking role-based authentication to the remote site 

Today, the security chain for role-based authentication 
for users typically stops within the host. Application layer 
authentication can ensure that only those users authorized 
to see a particular set of data can access it by preventing it 
from being transmitted from the remote site until the user is 
authenticated. 

Security Requirements and Measures The networked ver- 
sions of IEC 60870-5-104 and derivates that run over TCP/IP 
can utilize the security measures described in IEC 62351-3, 
which includes confidentiality and integrity provided by TLS 
encryption. Therefore, the only additional requirement is the 
authentication services provided by IEC 62351-5. 

The serial version is usually used with communica- 
tions media that can only support low bit rates or with field 
equipment that is compute constrained. TLS would be too 
compute-intense and/or communications intense to use in 
these environments. Therefore, the only security measures 
provided for the serial version include simple authentication 
mechanisms. 

Possible Additional Security Measures to IEC 62351-5 If 

encryption is required, other encryption-based security mea- 
sures could be added, such as VPNs or bump-in-the-wire 
technologies, depending upon the capabilities of the com- 
munications and equipment involved. These encryption mea- 
sures act at the transport layer. 

IEC 62351-6: Security for IEC 61850 Profiles 

Threats and Types of Attacks Being Countered IEC 62351-6 
covers the IEC 61850 profile using MMS over TCP/IP which 
uses IEC 62351-3 and IEC 62351-4. 


The security threats that are countered include man-in- 
the-middle, unauthorized modification of data, unauthorized 
modification of messages, tamper detection, and replay. For 
those functions where the performance requirements are not 
as stringent and where confidentiality is required, encryption 
could be added by other security measures such as “bump- 
in-the-wire” or VPNs. 

Security Requirements and Measures The IEC 61850 pro- 
file using MMS over TCP/IP uses IEC 62351-3 and IEC 
62351-4. Additional IEC 61850 profiles that run over TCP/IP 
(web services or other future profiles) will use IEC 62351-3 
plus possible additional security measures developed by the 
communications industry for application-layer security. The 
possible use of these externally developed security measures 
are out of scope for the IEC 62351 chapter. 

IEC 61850 also contains three protocols (GOOSE, GSE, 
and SMV) that are multicast datagram and not routable, 
designed to run on a substation LAN or other nonrouted net- 
work. In this environment, the messages need to be trans- 
mitted within 4 ms; therefore, most encryption techniques or 
other security measures which affect transmission rates are 
not acceptable. Therefore, authentication through a digital 
signature is the only security measure included. The char- 
acteristics of these three protocols are shown in Table 60.3. 

Based on these characteristics, the following security 
measures were determined, as shown in Table 60.4. 

Some of the key elements of the security measures for 
GOOSE and SMV are as follows: 

• Authentication is the primary security measure. 

• Encryption is not included because this adds too 
many bytes to the messages and is not considered that 
important (some hardware encryption might be added 
in future). 


TABLE 60.3 

Characteristics of Three Multicast IEC 6150 Protocols 

P DU Size 

SMV 

GOOSE 

MMS 


-1,500 

-1,500 

>30,000 

Performance type 

Stream 

4 ms 

No requirement 


Multicast 

Multicast 

Connection oriented 


TABLE 60.4 

Security Measures for the Three Multicast IEC 
61850 Protocols 



SMV 

GOOSE 

MMS 

X.509 certificates 

No 

No 

Yes 

(identity) 




Encryption 

Not 

Only if 

Yes 

(confidentiality) 

necessary 

>4 ms 


Tamper detection 

Yes 

Yes 

Yes 

(instruction detection) 





© 2012 by Bela Liptak 



894 Process Control and Automation Applications 


• Key renegotiation is not supported “in-band” because 
it could disrupt the highly critical, high speed flow of 
information. 

• Since security may be implemented over time, and 
because security may or may not be needed for differ- 
ent devices, a nonsecure GOOSE client could ignore a 
secure GOOSE message. 

• For backward compatibility, a reserved field is now 
used for length, so that an extension can be added to 
the end of the GOOSE/SMV message. This extension 
contains the authentication value (digital signature — 
HMAC). Nonsecure clients would simply ignore this 
extension. This adds about 20 bytes. 

• The IEC 61850 substation configuration language 
(SCL) is extended in order to support the exchange of 
certificates. 

Figure 60.11 illustrates the authentication security measure 

in GOOSE/SMV. 


Reserved 



Authentication value 
(digital signature-HMAC) 

FIG. 60.11 

Authentication method for GOOSE/SMV. 


SECURITY IN WEB SERVICE-BASED 
MONITORING AND CONTROL 

Communication Model and Security Requirements 

IEC 61400-25 defines a communication model for monitor- 
ing and control of wind power plants. The modeling structure 
is similar to IEC 61850, which comprises three separately 
defined parts (Figure 60.12): wind power plant information 
model, information exchange model, and mapping of the 
wind power plant information model and the information 
exchange model to standard communication profiles. 

For mapping to web services, the information exchange 
between SCADA and wind power plants are based on simple 
object access protocol (SOAP) message. The mapping process 
is the services defined in ACSI associated with Extensible 
Markup Language (XML) elements in SOAP body. 

The information exchange model provides services that 
are grouped as operational functions and management func- 
tions. The security requirements of these two functions 
include the following: 

1. Authentication: Determining the identity of the user/ 
client 

2. Authorization and access control: Ensuring that the 
entity has the proper access right 

3. Integrity: Ensuring that messages and the computer 
infrastructure are protected against unauthorized 
modification or destruction 

4. Confidentiality: Ensuring that objects of the wind 
power plant information model are protected and only 
disclosed to appropriate users/clients 



FIG. 60.12 

Communication model for wind power plants defined in IEC 61400-25. 


© 2012 by Bela Liptak 







60 Power Network Security 895 



FIG. 60.13 

Designing principles of security mechanism. 

5. Nonrepudiation: Preventing a user/client involved in a 
data exchange from denying that it participated in the 
exchange 

6. Prevention of denial of service: Preventing a client/ 
server from blocking access to authorized users 

In the above requirements, authorization and access control 
can be solved by privilege management and access control 
model, the methods introduced in the next clause. Prevention 
of denial of service needs to deploy suitable defensive mea- 
sures on crucial access point of communication; there has been 
efficient products developed on cyber security domain. Other 
requirements including authentication, integrity, confidential- 
ity, and nonrepudiation should be individually designed com- 
bined with communication process and web services. 

In Figure 60.13, the communication process of wind 
power plants can be divided into three steps: associate, 
data exchange, and release. Each step has different security 
requirements as listed in Table 60.5. 

WS-Security and the Security Token 

WS-Security According to security requirements of web 
services, WS-Security defined the security expanding 


TABLE 60.5 

Security Requirements of Different 
Communication Steps 


Step 

Name 

Security Requirements 

1 

Associate 

Authentication, integrity, 
and no-repudiation 

2 

Data exchange 

Integrity, no-repudiation, 
and confidentiality 

3 

Release 

Integrity and 
no-repudiation 


method for SOAP message exchange. The standard is pub- 
lished by OASIS, which provides security foundation for 
applications of web services. 

Commonly Used Security Tokens for EPUs A security token 
represents a collection (one or more) of claims. It is the basic 
element for authentication, encryption/decryption, integrity, 
and no-repudiation. The security tokens most commonly 
used in EPUs includes: 

1. Username/password: Widely used, basic authentica- 
tion function for almost all information systems, but 
the degree of security is weak, with insecurity risks 
when directly use. 

2. X.509 certificates: Solve the authentication, integrity, 
confidentiality, and no-repudiation based on technol- 
ogy of public key cryptography. The disadvantage is 
that the applications must be deployed on the support 
of public key infrastructure (PKI) which needs more 
investments. 

Designing Principles for the Proposed 
Security Mechanism 

For the presentation and analysis discussed above, the design- 
ing principles are outlined as follows (Figure 60.13): 

1. Can satisfy the requirements of communication pro- 
cess, including authentication, integrity, confidential- 
ity, and no-repudiation. 

2. Integration with the mapping to web services, without 
any changes to standard SOAP messages. 

3. Should conform with WS-Security standard. 

4. The security tokens commonly used in EPUs are 
important and must be taken into consideration. 


© 2012 by Bela Liptak 





896 


Process Control and Automation Applications 


TABLE 60.6 

Comparison of the Two Schemes 

Item 

Scheme I 

Scheme II 

Encryption/decryption 

AES 

RSA, AES 

Signature 

MAC 

RSA 

Derivation of symmetric key 

Calculated from 

Distributed by system or randomized; 


username/password 

generated by message sender 

Security degree 

Normal 

High 

Processing time 

Short 

Long 

Required computation resources 

Low 

High 


Design of the Security Mechanism 

Considering the security tokens commonly used in EPUs, 
the security mechanism is divided into two schemes based 
on username/password and X.509 certificate, respectively. 
In Scheme I, symmetric cryptographic algorithm and mes- 
sage authentication code (MAC) are introduced to mitigate 
the weakness of the username/password token on degree 
of security. In Scheme II, symmetric cryptography is used 
for encryption/decryption of sensitive contents in messages; 
public key cryptography is used for delivering the symmetric 
session key and signing the messages. 

The comparison between two schemes is shown in Table 
60.6. To deal with the security requirements, Scheme I actu- 
alizes encryption and signature functions which based on 
username/password, it also can be easily applied. Scheme II 
can provide much stronger protection for communication, but 
the related computation demand of system resource are much 
higher because of the computation complexity of public key 
algorithms. Therefore, the two schemes should be carefully 
selected according to the application environment. 

Implementation of the Security Mechanism 

Message Extension Based on WS-Security Structure of 
original SOAP message for wind power plants is not enough 
to handle security token and other security properties. The 
extension principle is to add security elements without any 
changes of services mappings defined in IEC 61400-25-4. 

According to WS-Security, the <Security> element in 
SOAP head is used to provide additional security informa- 
tion. The structure of the extended SOAP message is shown 
in Figure 60.14. 

1. Security token: The element is used for authentication 
and is also the resource for encryption/decryption and 
signature/verification, including username/password 
and X.509 certificate. 

2. Signature: Provide integrity and nonreputation for 
messages based on MAC or public key signature 
algorithms. 

3. Encrypted key: Encryption of symmetric key for data 
exchange steps, only applied in Scheme II. 


SOAP head 



SOAP body 

Elements mapping from 
services of IEC 61400-25 

Encrypted data 


FIG. 60.14 

Structure of security extended SOAP message. 

4. Encrypted data: Encryption of the monitoring or con- 
trol data for wind power plants used in data exchange 
steps. 

Design of Security Agent To implement the security 
mechanism, the security agent (SA) with functions of 
XML encryption, signature, process of security attributes, 
and authentication information is designed, and set on both 
communication sides. The structure and functions of SA is 
shown in Figure 60.15. 

1. Process of authentication information: Add security 
token in <security> element or authenticate the send- 
er’s identity by received security token. 

2. Process of additional security attributes: For the 
purpose of protecting against reply attack and man- 
in-the-middle attack, generate and verify the security 
factors including time stamp, randomized value, etc. 

3. Encryption/decryption: Encrypt or decrypt the 

request/response messages based on XML encryption. 

4. Signature/verification: Sign or verify request/response 
messages based on XML signature. 


© 2012 by Bela Liptak 


60 Power Network Security 897 



FIG. 60.15 

Structure and functions of SA. 


ACCESS CONTROL FOR IEDS 

With the development of information technology, the auto- 
mation level of substation system has been increased. The 
IEC 61850-based lEDs use Ethernet to communicate with 
another. Access control is needed when users want to control 
or operate a device. 

Access Control Defined by IEC 61850 

According to IEC 61850-5, the user access to functions or the 
related local networks (LNs), especially to operational func- 
tions, has to be controlled by a set of rules. The access security 
management in between the different LNs, that is, for auto- 
matic functions, is handled during the system configuration by 
the function node identification. The access security manage- 
ment as described here is related to HMI type of users only. 

The access control process is implemented during the 
application association of ACSI. The application association 
model defines: Firstly, the services provided for managing 
association between client and server (two-party applica- 
tion association); secondly, the services provided for man- 
aging association for multicast messaging (e.g., GOOSE and 
transmission of sampled values). The two-party application 


association class conveys service requests and responses 
(thus transferring unconfirmed and confirmed services). 
The multicast application association class shall be capable 
of conveying unconfirmed services (in one direction only). 
Application association needs a mechanism for controlling 
the access to the instances of a device. 

The access control model provides the capability to 
restrict the access of a specific client to class instances, class 
instance attributes, and ACSI services acting upon class 
instances of a specific server. The ACSI server contains a set 
of logical devices, logical nodes, data, or report controls. The 
set of instances visible, and therefore accessible, to a client is 
restricted on the basis of the identification of the client and 
the access control specification of the server. This restricted 
set is called a virtual access view. A virtual access view may 
not only restrict the visibility of instances or attributes but 
also the supported service. The concept of a virtual access 
view is illustrated in Figure 60.16. 

Two users (A and B) have different virtual access views 
(View 1 and View 2) of the server. View 1 allows just one data 
(XCBR.OperCnt) to be accessed remotely. View 2 allows all 
data to be accessed. 

The intention of IEC 61850 is to implement the virtual 
access view in the server of a device, thus providing access 


© 2012 by Bela Liptak 


898 


Process Control and Automation Applications 



FIG. 60.16 

Instance of virtual access view. 


restriction to any user who tries to access the instances. 
Independent of the implementation in the device, additional 
access restriction may be implemented at the user side, for 
example, local password or a simple key on the keyboard. 

A client (or a subscriber in the case of multicast appli- 
cation association) shall be identified by authentication 
parameters passed to the server when establishing the asso- 
ciation with the server (two-party application association) 
or when sending information over multicast application 
associations. 

IEC 61850 only defines a simple way to resolve the 
access control problem. But the authentication method like 
password shall be easily destroyed by malicious attacks, and 
mechanisms at the client side, like privilege management, are 
outside the scope of IEC 61850. So, a strong cryptographic 
authentication and privilege management method are needed 
in the application. 

Privilege Management Infrastructure 
Based Access Control 

Edition 4 of X.509, published by the ITU-T in 2001, is the 
first edition to fully standardize the certificates of a privilege 
management infrastructure (PMI). Earlier versions of X.509 
have concentrated on standardizing the certificates of PKIs. 
This article assumes the reader is already familiar with the 
general concepts of PKIs, and these will not be repeated here. 

The X.509 PMI is to authorize what its PKI is to authenti- 
cate. Consequently, there are many similar concepts in PKIs 
and PMIs. These are summarized in Table 60.7. 

Whilst public key certificates (PKCs) are used to main- 
tain a strong binding between a user’s name and his pub- 
lic key, an attribute certificate (AC) maintains a strong 
binding between a user’s name and one or more privileges 
attributes. The entity that digitally signs a PKC is called a 
certification authority (CA), whilst the entity that signs an 
AC is called an attribute authority (AA). The root of trust 


TABLE 60.7 

Comparison of PKI and PMI 

Concept 

PKI Entity 

PMI Entity 

Certificate 

PKC 

AC 

Certificate issuer 

CA 

AA 

Certificate receiver 

Subject 

Holder 

Certificate binding 

Subject’s name 

Holder’s name to one or 


to public key 

more privilege attributes 

Revocation 

CRL 

ACRL 

Root of trust 

Root CA 

SOA 

Subordinate 

Subordinate CA 

AA 

authority 




of a PKI is sometimes called the root CA whilst the root of 
trust of the PMI is called the source of authority (SOA). CAs 
may have subordinate CAs which they trust, and to which 
they delegate the powers of authentication and certification. 
Similarly, SOAs may delegate their powers of authorization 
to subordinate AAs. If a user needs to have his signing key 
revoked, a CA will issue a certificate revocation list (CRL). 
Similarly if a user needs to have his authorization permis- 
sions revoked, an AA will issue an attribute certificate revo- 
cation list (ACRL). 

Privilege Delegation Model of Substation System 

Privilege Delegation The privilege delegation model 
includes privilege manager, power corporation SOA, substa- 
tion management AA, LDAP server and user. The privilege 
manager defines all the privilege policy in the system. Power 
corporation SOA is the ultimate authority to assign these 
privileges. SOA can assign part of its privilege to AAs. For 
example, a power corporation SOA may assign the privileges 
of substation operation and control to a substation manage- 
ment AA. AA is an authority which assigns privileges by 


© 2012 by Bela Liptak 





60 Power Network Security 


899 



FIG. 60.17 

Privilege delegation model. 


issuing ACs. Two types of ACs called role assignment AC 
and role specification AC can be assigned by AA. Both are 
stored in a LDAP server. The role assignment ACs are issued 
to users who are the employees of the power corporation. 
Role specification ACs are issued to roles which are defined 
by the privilege manager. Take substation management for an 
example. The roles may be defined by the level of expertise 
of the operator (manager, substation operator, administrator, 
etc.) or the area of knowledge of the operator (protection, 
control, etc.). All the users in substation management can be 
assigned to roles. The structure of PMI-based privilege del- 
egation model is illustrated in Figure 60.17. 

Role-based access control (RBAC) is that the separation 
between users and permissions. In general, the relations 
between roles and permissions are very steadily. The privi- 
lege of a user can be changed by regulating the assignment of 
roles to the user, and this benefit is very useful in the substa- 
tion access management. The configuration of IEDs is not 
needed to change while the regulation of privileges can be 
fulfilled by de-allocating roles to operators. 

The access control policy of the substation devices must 
be defined by specialists of information security and electric 
power system. The IEC 61850 Part 5 has consulted some fac- 
tors which should be considered when defining the policy. 
The entity of access control policies includes subject, role 
and target, and these three entities are associated by role 
assignment policy and target access policy. The access con- 
trol policy is illustrated in Figure 60.18. 

1. Subject: is the privilege holder which is identified by 
holder field in role assignment ACs. It asserts the priv- 
ilege to targets and is verified by privilege verifier. 

2. Role: is mainly the abstract of the subject’s work which 
is defined by the privilege manager. It can be classified 
by the level of expertise or the area of knowledge of 
the operator in substation management. 


Subject 


Role 


Target 



FIG. 60.18 

RBAC-based access control policy. 


3. Target: is the pointer of resource object. It can be 
denoted by object reference method (LDName/ 
LNName [.Name[. ...]]) of IED information model 
defined by IEC 61850. 

4. Role assignment policy: is the mechanism to estab- 
lish the relation between subjects and roles. It can be 
achieved by setting role attributes in the attributes 
field of role assignment AC. 

Target Access Policy Target access policy defines the privi- 
lege of role to access the target. The policy may be defined 
using any syntax, including plain text. The policy which can 
easily be transformed to virtual access view defined by the 
application association model of IEC 61850. 

Action Action defines the access way to target by subject. 
The action defined by IEC 61850 includes create (allows the 
user to create certain classes of application objects within 
the specific LN), delete (allows the user to delete applica- 
tion objects within the specific LN), view (allows the user to 
acquire details concerning the existence of an object and the 
object definition), set/write (allows the user to set attribute 
values of an object), get/read (allows the user to get attribute 
values of an object), and execute (allows the user to execute 
the permitted application service). 


© 2012 by Bela Liptak 




900 Process Control and Automation Applications 



220 ky 
110 kV 


FIG. 60.19 

220kV/110kV substation single line diagram. 


Access Control System of Substation Automation 

Functional Modeling of a Substation Bay Unit The access 
control is based on the substation operation. A 220kV/110kV 
substation single-line diagram is illustrated in Figure 60.19. 

Take bay unit E1Q3 for an example. The function can be 
allocated in XSWI, XCBR, TVTR, TCTR LNs of process 
level and CSWI, CILO, CPOW, PTOC, MMTR, MMXU 
LNs of bay level, shown in Figure 60.20. 

Architecture of Access Control System The access control 
system illustrates how control is exerted over access to the 
sensitive object. There are three components in the architec- 
ture: The user, the access SA, and the data object in IED as 
illustrated in Figure 60.21. 

We have modeling of these LNs in a logical device, 
E1Q3. As we have known from above, operations from sub- 
station level or remote control center are directly on LN 
CSWI restricted by virtual access view. We defined these 
three LNs in the LD: qalCSWI, qa2CSWI, and qa3CSWI. 
The data attributes involved in control services include: ctl- 
Val (the value to be controlled), operTm (the time when to 
operate for the TimeActivatedOperate service), origin (indi- 
cating who issued the service), and ctlNum (control sequence 
number). 

As an example, we use “push” method illustrated in the 
PMI to realize the authentication and authorization. In this 



FIG. 60.20 

Function modeling of bay unit E1Q3. 

method, user must send his PKC and AC to indicate the iden- 
tity and privilege. An access SA has been designed to authen- 
ticate the user’s identity and parse the PMI AC to get user’s 
access privilege, then generate a virtual access view and 
store on LD E1Q3 to restrict user’s access to sensitive object. 

Implementation of Virtual Access View Virtual access view 
is defined by IEC 61850 to achieve the access control for mul- 
tiusers. This concept is just like the access control matrix. 
A subject can access an object if the required access right 
appears in the matrix. We can get a user’s privilege from the 
target access policy of AC and implement in the access con- 
trol matrix. An instance is illustrated in Table 60.8. 

In this instance, we take three data attributes and two 
users for an example. Userl has the right to set the value of 
qalCSWI.Pos.ctlVal, get the value of qalCSWI. Pos.stVal, 
and view qalCSWI. Pos.q information, but User 2 can only 
view qalCSWI.Pos.ctlVal, qalCSWI. Pos.stVal and have the 
right to read the value of qalCSWI. Pos.q. 

Operation Sequence with Access Security According to 
IEC 61850, authentication and authorization process is in 
application association service. In our system, this process is 
verified by access SA. The operation sequence is illustrated 
in Figure 60.22. 

The six steps are 

Step 1. User establishes an associate by sending an associ- 
ate request including PKC and AC in authentication 
parameter. 


© 2012 by Bela Liptak 



60 Power Network Security 901 



FIG. 60.21 

Access control system with authentication. 


TABLE 60.8 


Instance of Access Control Matrix 

qalCSWI. 

qalCSWI. qalCSWI. 

Pos.ctlVal 

Pos.stVal Pos.q 

User 1 Set 

Get View 

User 2 View 

View Read 


Step 2. Access SA acts as a proxy to receive the request and 
implement authentication and privilege parse process to 
verify the user’s identity and get user’s access privilege. 

Step 3. Access SA uses access control matrix to realize 
the virtual access view and stores this access control 
matrix in IED. 

Step 4. Access SA makes an associate response to the user. 


Step 5. User is granted to make operations or access data 
objects in IED under the restriction of access control 
matrix. 

Step 6. User finishes the operation and releases the 
association. 

CONCLUSIONS 

The evolution of power industrial communication systems 
toward increasing interconnection with other enterprise 
networks or even the Internet, together with a continuously 
stronger reliance on open standards such as the TCP/IP pro- 
tocol suite, creates an increased exposure of automation sys- 
tems to network-based attacks. Consequently, information 
system security for power industry is growing in importance. 


User 


Access security agent 


Data object 



FIG. 60.22 

Operation sequence with access security. 


© 2012 by Bela Liptak 








902 Process Control and Automation Applications 


Information system security for power industrial auto- 
mation and communication systems has only very recently 
emerged as a new field in academic and industrial research. 
Although there are many possible solutions such as access 
control and securing communication, these are proposed to 
protect against cyber security threats. However, the experi- 
ences in these fields are still limited. The importance of this 
research field will grow in the near future, because security 
considerations and mechanisms are increasingly required 
as a part of standards-based best practices and also because 
EPUs recognize the business case for protecting substations 
and power plants against electronic attacks. 

Bibliography 

Cleveland F., IEC TC57, Security standards for the power system’s 
information infrastructure — beyond simple encryption, in 
Proc. IEEEPES TD 2005/2006, Geneva: IEC. pp. 1079-1087, 
2006. 

Dzung D., M. Naedele, T. Von hoff, and M. Crevatin, Security for 
industrial communication systems. Proc. IEEE, 93(6), 1 152 — 
1177, June 2005. 

IEC 61400-25-1, Wind turbines — Part 25-1: Communications 
for Monitoring and Control of Wind Power Plants — Overall 
Description of Principles and Models, Dallas, TX, December 
2006. 

IEC 61400-25-2, Wind turbines — Part 25-2: Communications for 
Monitoring and Control of Wind Power Plants — Information 
Models, December 2006. 

IEC 61400-25-3, Wind Turbines — Part 25-3: Communications for 
Monitoring and Control of Wind Power Plants — Information 
Exchange Models, Geneva: IEC, December 2006. 


IEC 61400-25-4, Wind Turbines — Part 25-3: Communications for 
Monitoring and Control of Wind Power Plants — Mapping to 
Communication Profile, 2007. 

IEC 6 1 850- 1 , Communication Network and Systems in Substations — 
Part 1: Introduction and Overview, Geneva: IEC, 2003. 

IEC 61850-5, Communication Networks and Systems in 
Substations — Part 5: Communication Requirements for 

Functions and Device Models, Geneva: IEC, 2003. 

IEC 61850-7-2, Communication Networks and Systems in 

Substation — Part 7-2: Basic Communication Structure for 
Substation and Feeder Equipment — Abstract Communication 
Sendee Interface (ACSI), Geneva: IEC, 2003. 

IEC 61850-8-1, Communication Networks and Systems in 

Substation — Part 8-1: Specific Communication Sendee 

Mapping (SCSM)— Mapping to MMS (ISO/IEC 9506-1 and 
ISO/IEC 9506-2) and to ISO/IEC 8802-3, IEC, 2003. 

IEC 61850-9-1, Communication Networks and Systems in 

Substation — Part 9-1: Specific Communication Sendee 

Mapping (SCSM) — Sampled Values Over Serial Unidirectional 
Multidrop Point to Point Link, Geneva: IEC, 2003. 

IEC TS 62351-1, Power Systems Management and Associated 
Information Exchange — Data and Communications Security — 
Part 1: Communication Network and System Security — 
Introduction to Security Issues, May 2007. 

Liu N., B. Duan, J. Wang, and S. Huang, Study on PMI-based access 
control of substation automation system, in Proc. IEEE PES 
General Meeting, Montreal. Quebec, Canada. June 18-22, 
2006. 

Liu N., J. Zhang, W. Liu, A security mechanism of web services- 
based communication for wind power plants, IEEE Trans. 
Power Del., 23(4), 1930-1938, 2008. 

Nadalin C., Kaler R., Monzillo et al., Web Services Security: SOAP 
Message Security 1.1, OASIS Standard Specification, 2006. 


© 2012 by Bela Liptak 



